
Storing sensitive information

One of my Java classes will connect to another server and do some operations using REST services. The Java class requires a username and password to connect to the remote server. On other machines we used to store the credentials using Oracle cwallet.sso, but this is not an option for the current machine. I am thinking of storing the encrypted password in a properties file, adding some salt. I also need to store the key and salt string in some secure place. Do we have any alternative in RHEL for password management like cwallet, or any suggestions on what would be the best way to achieve this?

Please note that I will invoke this class using shell script.

Thanks

This is tricky, because if someone gets access to your server it is already game over. So the solution is not just to encrypt the data, as that won't do much; you need security in depth.

To put this in context, you can have the password encrypted, salted, whatever... When an attacker gets access to the server, he won't be able to read any of those files (even with the encrypted password) unless he is able to become the user running the app. If he manages to do that, he only needs to do a memory dump and then fish for passwords (which is not hard).

So a real world solution is:

  • Only allow a restricted number of people to log on to the server.
  • Only allow an even smaller number to become the user which runs the application server.
    • These are the people who can read/update the properties file.
  • Disable any kind of backups on the files that contain secrets.

Again, encrypting passwords in the files might give you a sense of security, but if you follow the steps above, anyone who can read the file will also be able to read the memory contents of the app. And even if someone does things right and stores that password in a bit of off-heap memory, some Linux tools can read the whole memory map of a process, so again, game over.

Using encryption in this case just adds obscurity and no real protection.
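An added example, not from the original answer: a POSIX sh wrapper for the "invoke this class using a shell script" case that enforces the file-access point above before launching the Java class. It refuses to start unless the properties file is a regular file owned by the application user and readable by that user only, so a file that a backup or a second group could read never gets used silently. The path `/opt/app/conf/app.properties`, the user `appuser` and the class `com.example.RemoteClient` are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed values:
APP_PROPS=/opt/app/conf/app.properties   # file holding the credentials
APP_USER=appuser                         # the only account allowed to read it
APP_CLASS=com.example.RemoteClient       # the Java class that calls the REST service

# check_secret_file FILE EXPECTED_OWNER
# Returns 0 only if FILE is a regular file (not a symlink), owned by
# EXPECTED_OWNER, with mode 0600 or 0400 (no group/world bits at all).
# Uses GNU stat(1) from coreutils, which RHEL ships.
check_secret_file() {
  file=$1
  owner=$2
  if [ -L "$file" ] || [ ! -f "$file" ]; then
    echo "refusing: $file is missing or not a regular file" >&2
    return 1
  fi
  actual_owner=$(stat -c '%U' "$file") || return 1
  mode=$(stat -c '%a' "$file") || return 1
  if [ "$actual_owner" != "$owner" ]; then
    echo "refusing: $file is owned by $actual_owner, expected $owner" >&2
    return 1
  fi
  case "$mode" in
    600|400) return 0 ;;
    *)
      echo "refusing: $file has mode $mode; only 600 or 400 is acceptable" >&2
      return 1 ;;
  esac
}

# launch: run the check as the application user itself, then hand the
# properties path to the JVM as a system property instead of on the
# command line, so the credentials never appear in `ps` output.
launch() {
  if [ "$(id -un)" != "$APP_USER" ]; then
    echo "refusing: run this script as $APP_USER, not $(id -un)" >&2
    return 1
  fi
  check_secret_file "$APP_PROPS" "$APP_USER" || return 1
  exec java -Dapp.config="$APP_PROPS" -cp /opt/app/lib/'*' "$APP_CLASS"
}
```

Call `launch` at the end of the script when deploying; it is left out here so the functions can be sourced and checked on their own.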
